Domain 1 - Cloud Concepts/Architecture/Design

Question 1

What are the characteristics of cloud computing?

Answer 1

• Ubiquity
• Convenient
• On Demand network access to shared pool of computing resources
• Self Service

Question 2

What are the Service Models?

Answer 2

1. Software as a Service
2. Platform as a Service
3. Infrastructure as a Service

Question 3

What are the various Deployment Models?

Answer 3

1. Public Cloud
2. Private Cloud
3. Community Cloud
4. Hybrid Cloud

Defines who owns and controls the underlying infrastructure.

Question 4

What are the key characteristics of Public Cloud?

Answer 4

-Available to anyone who purchases the services.
- Multi-tenant
Concerns: Privacy, Security, Vendor lock-in

Question 5

What are the key characteristics of Private Cloud?

Answer 5

• Single-tenant - Available only to a single organization
• Maybe located on-prem or hosted by a CSP.
• Ideal for files and data that are too sensitive to put on a public cloud (perceived to be more secure).
• Secure wipe of data is possible
  Downside: More expensive

Question 6

What are the key characteristics of Community Cloud?

Answer 6

• Multi-tenant but limited to a group of companies or individuals (e.g. Universities or Governments)
• Maybe hosted by one organization with access provided to others.

Question 7

What are the key characteristics of Hybrid Cloud?

Answer 7

• Normally a combination of private and public clouds in whatever way makes sense to the business.
• Example, primary system is in a private cloud with backups stored in a public cloud (OR) sensitive data in a private cloud, with less sensitive data (email) in public cloud.
• Orchestration becomes important to keep it manageable.

Question 8

What are the various cloud computing roles?

Answer 8

1. Cloud Service Customer
2. Cloud Service Provider
3. Cloud Service Partner
4. Cloud Service Broker

Question 9

Who is a Cloud Service Provider?

Answer 9

• Company or entity offering cloud services (e.g. AWS)

- May offer SaaS, PaaS and IaaS

Question 10

Who is a Cloud Service Partner?

Answer 10

A third party offering cloud-based services using the associated CSP.

Introduces customers to the cloud more easily.

Example - Dropbox using its infra mostly and extending to AWS in regions where it does not have presence.

Question 11

Who is a Cloud Service Broker?

Answer 11

Broker packages services in a manner that benefits customer making cloud adoption easier for customer. Three primary tasks:

1. Aggregate services from multiple CSPs.
2. Integration with existing infrastructure (cloud/non-cloud)
3. Customization of services that a CSP may not do.

Question 12

What are the characteristics of Cloud Computing per NIST definition?

Answer 12

• On Demand Service; near instantaneous; self service; automated; problem of Shadow IT.
• Broad network access (needed to access cloud); problem of insecure protocols (e.g. FTP, HTTP)
• Multi-tenancy; risk of one tenant’s actions impacting another
• Rapid Elasticity and Scalability; resources scale, pay-as-you-go; risks for CSPs who must plan enough capacity
• Resource Pooling; risks as hypervisor compromise could lead to exposure
• Measured service - metering usage

Question 13

What are the building block technologies of cloud computing?

Answer 13

1. Virtualization - hypervisor
2. Storage - SANs and NASs; risks data deletion in shared storage
3. Networking - use of internet to access cloud; data encryption in transit needed
4. Databases - multiple types available
5. Orchestration - organization use of multi-cloud, multiple SaaS; orchestration is the glue which keeps it all together; programming and automation; e.g. of AWS CloudFormation

Question 14

What is the NIST Reference Architecture?

Answer 14

Defined in SP 500-292.
RAs enable interoperability of cloud services from different vendors
NIST RA is role based - 5 Roles
1. Cloud Consumer (can consume Saas, PaaS or IaaS services)
2. Cloud Provider
3. Cloud Auditor
4. Cloud Broker
5. Cloud Carrier (provider of connectivity to cloud)

Note: that it does not mention Cloud Partner; it also has an extra Cloud Auditor role.

Question 15

What are cloud service capabilities?

Answer 15

A different way to look at cloud service models (SaaS/Paas/Iaas).

While SaaS/Paas/IaaS is defined by NIST, the cloud service capability types are defined by ISO/IEC.

There are three:

1. Application Capability Types
2. Platform Capability Types
3. Infrastructure Capability Types

Question 16

Under cloud service capability, what is Application Capability Type?

Answer 16

Ability to access an application from a variety of device types - e.g. thin client, web etc.
Responsibility of supporting various device types belongs to the application.
User gets a seamless experience

Question 17

Under cloud service capability, what is Platform Capability Type?

Answer 17

A platform has the capability of deploying solutions through the cloud. e.g. AWS Elastic Beanstalk

User can modify the solution, but not the underlying infrastructure.

User has access to dev tools tailored to that cloud environment.

Question 18

Under cloud service capability, what is Infrastructure Capability Type?

Answer 18

An infrastructure customer cannot control the underlying HW, but can control OS, installed tools, solutions, and provisioning of compute, storage, network etc.

Example, a typical EC2 customer.

Question 19

What are key considerations in the use of multi-cloud?

Answer 19

• Interop - avoiding vendor lock-in
• Portability - move data and architectures between clouds; no loss of metadata
• Reversibility - measures the extent cloud services can be moved between clouds
• Availability (Service availability, elasticity, scalability)
• Security (data, application and infrastructure)
• Privacy
• Resiliency (BCP, DR)
• Performance (measured thru SLA)
• Governance (Policies, procedures, controls)
• Maintenance and Versioning
• Service Levels and SLAs (mostly standard for all but the largest customers who can negotiate).
• Auditability (verifies effectiveness of controls)
• Regulatory (governance needed to ensure requirements are met) - three types a) law b) contracts and c) standards

Question 20

What are some of the transformative technologies made possible by the cloud?

Answer 20

• Machine Learning
• Artificial Intelligence
• Blockchain
• Internet of Things
• Containers
• Quantum Computing

Question 21

What are the three types of access controls?

Answer 21

Physical, Administrative and Technical.

Physical - CSP’s domain. Protects access to data centers

Administrative- customer’s domain. Determines who can access the system, how access is logged etc.

Technical controls - shared. CSP Provides IAM system, customer is responsible for provisioning/deprov.

Question 22

What is contextual-based security?

Answer 22

Level of access determined by identity, location, time of day, endpoint type, corporate network/external network, and other such factors.

Question 23

What are the benefits of ingress/egress monitoring?

Answer 23

Ingress control - prevents unwanted external access attempts, allows only response to initiated requests

Egress control - prevents data loss; malware cannot reach C&C servers.

Question 24

What’s the difference between Type I and Type II Hypervisors?

Answer 24

Type 1 - runs directly on the host’s hardware - e.g. Hyber-V, VMWare EXSi, or Cytrix Xen-server. Also called Bare Metal hypervisors. Difficult to setup.

Type 2 - runs on an operation system atop the OS. Easier to setup, but less secure. e.g. VMWare Workstation/Player, VirtualBox. Also called Host OS Hypervisor.

Question 25

What are the tradeoffs with containerization technologies?

Answer 25

Containers are lightweight, portable, scale easily, and lend themselves to agile development.

However, they are prone to security issues as a result of inadequate IAM and mis-configurations.

Question 26

What are the stages of data in a data lifecycle?

Answer 26

Six stages:

1. Create
2. Store
3. Use
4. Share
5. Archive
6. Destroy

Question 27

What’s the difference between BCP and DRP?

Answer 27

Business Continuity Planning - focus on keeping the business running following a disaster. BCP focuses on space, personnel, technology, processes and data.

Disaster Recovery Planning - focus on returning to normal business operations. Focus on data backups.

Question 28

What are functional security consideration in the use of cloud?

Answer 28

• Portability
• Interoperability
• Vendor Lock-In

e.g. If AWS CloudTrail is used to implement Governance, Risk Management and Compliance, moving to another cloud would require re-writing that functionality.

You may use GuardDuty and AWS Config in AWS. But when you move to another CSP, they may not have the same services.

Question 29

What are the layers of an architecture stack?

Answer 29

Data
API
Applications/Solutions
Middleware
Operating System
Virtualization (VMs, Virtual LANs)
Hypervisor
Compute & Memory 
Data Storage
Networks
Physical Infrastructure

Hypervisor on down, security responsibility rests with the CSP.

Question 30

What are the security responsibility in a SaaS service?

Answer 30

Customer is responsible for the data, and APIs.
User is responsible for secure transfer of data to SaaS provider; login creds/MFA etc.
May also be responsible for customization.

Question 31

What are the security responsibility in a PaaS service?

Answer 31

PaaS provider responsible for infra, OS, networking, virtualization and platform tools etc.

Developer responsible for security of application, data used by the application, user access, APIs etc.

Question 32

What are the security responsibility in a IaaS service?

Answer 32

CSP responsible for physical security of hw components, networking, virtualization (e.g.hypervisor).

Customer responsible for OS level and up.
This includes safely configuring the SW (OS, Tools and Apps), responsibility for patching and updating tools and OS they install, IAM, user data, security of data at rest and in motion.

Question 33

What are a few key global standards for the cloud?

Answer 33

ISO/IEC 27001 - Security Management Standard
ISO/IEC 27017 - Cloud Specific Controls
ISO/IEC 27018 - Personal Data Protection
ISO/IEC 27701 - Privacy Information Management

Question 34

What is Common Criteria?

Answer 34

CC is an international set of guidelines (ISO/IEC 15408) and specifications to evaluate information security products.

CC has two parts: Protection Profile & Evaluation Assurance Level

PP: defines standard set of security requirements for specific product type such as firewall. It is pre-defined template.

EAL: Levels 1 through 7; measures amount of testing done on product

Testing done by independent labs.

Question 35

In the FIPS 140-2 standard, what’s the difference between FIPS validated and FIPS compilant?

Answer 35

FIPS validation requires testing by external labs - there are four levels of testing.

There are 21 “Cryptographic Module Testing Laboratories” that are accredited by NIST under the National Voluntary Laboratory Accreditation Program to perform such validations.

Question 36

What is a threat vs vulnerability vs risk?

Answer 36

A threat exploits a vulnerability and can damage or destroy an asset.

Vulnerability refers to a weakness in your hardware, software, or procedures. (In other words, it’s a way hackers could easily find their way into your system.)

And risk refers to the potential for lost, damaged, or destroyed assets.

Question 37

What are the differences between the FIPS 140-2 Levels?

Answer 37

1. Level 1 - basic security, no physical security mechanism (e.g. PC encryption board).
2. Level 2 - Requirements for physical security (i.e. tamper evidence coatings/seals/labels).
3. Level 3 - Tamper resistance - e.g. detection/response - e.g. zeroising the module upon detection
4. Level 4 - physical security provides complete protection; can detect and zerioize upon any intrusion including environmental changes (e.g. voltage/temperatures). Normally for unprotected environments.

Question 38

What class of information does the FIPS-140-2 standard designed for?

Answer 38

• Sensitive but unclassified information (SBU).

- Not to be used for Secret, Top Secret or Sensitive Compartmentalized Information (SCI).